Johnny Xmas

Since the Second Industrial Revolution, technology has been advancing at a rate beyond anyone's estimates. That means us old folks got to hack a whole lot of awesome stuff in our short lifetimes, much of which is already long since obsolete. Here, Johnny Xmas will deliver one of his famous "When I Was Your Age" rants, this time aimed at the 1990s and the Rise of the Internet, and the explosion of the hacker community that happened back then, just as it is happening now. Topics covered will probably include cable TV piracy, wardialing, offensive payphonery, mainframe hacking, "Hackers Vs. Crackers", the mere difficulty of Internet & computer access, and how so many of the "modern" web exploits you use today are really decades old.

Zee Abdelnabi

This talk will focus on interacting successfully with others in your workspace. People have their own firewalls, and we set up the interaction rules. Do we want to allow or block this person in our comfort zone? I will go over security techniques for navigating different personalities using traditional hacking techniques:
- Determine what "operating system" they are running
- What patches are in place
- What vulnerabilities you can exploit
- What configuration issues does this person have?
These results then let you work with different personalities based on what the hacking tells you.

Mike Larkin

Until recently, systems would allocate writable memory as executable by default. W^X is a memory protection policy that states that a page of memory should not be writable and executable at the same time. For many years OpenBSD has had user-mode support for W^X, but until recently the kernel support for W^X on amd64 and i386 platforms had received less attention. This talk will contain a brief history of W^X protection mechanisms present in OpenBSD and detail the recent effort to make the kernel W^X support as robust as possible. The talk will describe the challenges faced in both identifying the regions to be protected, and ensuring the W^X policy was enforced across all of them. The talk will also detail the special challenges faced while upgrading the i386 hardware platform's legacy page table format to a version that supports W^X more easily.

Benjamin Brown

Doxxing is the Internet-based practice of researching and broadcasting personally identifiable information about an individual. It is also a scourge on our internet lives that can quickly boil over into the physical realm. Often wielded as a weapon of hate or manipulation and a tactic for intimidation, doxxing easily leads to real-world threats of violence, financial harm, sexual assault, career damage, or even murder. Examples of these impacts can be seen surrounding the recent events of 'GamerGate' through the targeting of Anita Sarkeesian, Felicia Day, Tara Long, and Brianna Wu. Doxxing also often leads to another tragic outcome: targets for hate being misidentified, leading to unaffiliated individuals becoming the subjects of attack. Occurrences of this can be found in such online sagas as Anonymous vs. Scientology, the Amanda Todd case, and the incorrect fingering of Sunil Tripathi as the Boston Bomber. Given the real-world impacts of being doxxed, what can we do to protect ourselves, our friends, and our loved ones? In this talk I will highlight common methods employed by doxxers as well as methods to safeguard the information they seek. I will move from the easy wins and low-hanging fruit, with an eye for practicality, to the more complex and long-term defenses employed by professionals. While this is a pertinent topic for everyone, I believe it is especially important for those whose livelihoods involve spending copious amounts of time interacting with the internet. Our doxxing attack surfaces are larger than those of others.

Jean-Francois Cloutier

John Menerick

Backdooring Git (English talk)

Join John Menerick for a fun-filled tour of source control management and services to talk about how to backdoor software. We will focus on one of the most popular, trendy SCM tools and services out there – Git and GitHub. Nothing is sacred. Along the way, we will expose the risks and liabilities that arise from faulty usage and deployments. When we are finished, you will be able to use the same tools and techniques to protect or backdoor popular open source projects or your hobby project.

Kent Backman

Inside Terracotta VPN (English talk)

Virtual Private Networks (VPNs) are very popular. They are part and parcel of almost every enterprise network, especially those with remote employees. Aside from VPNs for enterprises, there are many reputable commercial VPN services that offer low-cost, reliable service to individual users. These users employ VPNs for reasons that might include connection security, protection of private data, online gaming acceleration, and bypassing service provider restrictions. VPNs are also popular with cyber criminals, as they are one way the latter can obscure their true source location. When a commercial VPN service provider uses resources such as servers and copious bandwidth stolen or repurposed from unsuspecting victims for purposes of profit, the offering clearly crosses into the criminal domain. In this report, FirstWatch exposes one such operator doing business under multiple VPN brand names out of the People’s Republic of China (PRC). The operation runs more than 1500 end nodes around the world; FirstWatch has confirmed that many of these end nodes are compromised Windows servers and has evidence that many of them were illegally “harvested.” The operators behind Terracotta VPN continue their broad campaign to compromise multiple victim organizations around the world. Meanwhile, advanced threat actors such as Shell_Crew use Terracotta VPN to anonymize their activity while they hack the crap out of governments and commercial entities around the world.

Robert Masse

Hunting down enemy nation states within your organization (English talk)

For the last 10 years, we have seen major growth of attacks from Advanced Persistent Threats. In our experience, the majority of these groups are well-funded government agencies and organized crime syndicates who have been wreaking havoc across important institutions around the world. As FBI director James Comey said in 2014, “there are two big types of companies in the US – those who’ve been hacked by the Chinese and those who don’t know they have been hacked by the Chinese”.

Just two years ago, I wouldn’t have believed this myself.

With the recent uptick of attacks against organizations with massive databases containing personal information, more companies than ever are at risk of being compromised. This presentation will cover real-life experiences from several investigations we have done around the world and provide valuable lessons learned on how to detect and protect yourself from these advanced threat actors.

Roy Firestein

Cymon - An Open Threat Intelligence System (English talk)

In this talk we will debut the first formal public offering of a new cyber monitoring tool we call Cymon. It is a freely available tracker of open-source security reports on malware, botnets, phishing and other malicious activities. At the time this abstract was written, Cymon was ingesting, on a daily basis, well over 60K events and 17K unique IPs from almost 200 sources across the Internet to build a threat profile and timeline for IPs, domains and URLs.

This talk will demonstrate some of the system’s capabilities and show examples of how you can use Cymon to research suspected malicious sources. The architecture and lessons learned when building a scalable system for big data analysis will also be discussed in detail.

Nadeem Douba

BurpKit: Using WebKit to Own the Web (English talk)

Today's web apps are developed using a mashup of client- and server-side technologies. Everything from sophisticated JavaScript libraries to third-party web services is thrown into the mix. Over the years, we've been asked to test these web apps with security tools that haven't evolved at the same pace. A common shortcoming in most of these tools is their inability to perform dynamic analysis to identify vulnerabilities such as dynamically rendered XSS or DOM-based XSS. This is where BurpKit comes in: a BurpSuite plugin that integrates the power of WebKit with that of BurpSuite. In this presentation we'll go over how you can leverage WebKit to write your own web pen-testing tools, and we'll introduce BurpKit. We'll show you how BurpKit is able to perform a variety of powerful tasks including dynamic analysis, BurpSuite scripting, and more! Best of all, the plugin will be free and open source so you can extend it to your heart's desire!

Shane MacDougall

I Am Joe's Twitter Profile: An OSINT/Social Engineering Journey Through An IT Pro's Social Media Profile (English talk)

This hands-on presentation will travel through the very public profile of a real-life IT professional and follow his various trails online, both current and abandoned, illustrating in gory detail what he has left behind that would enable an attacker to successfully target him. From image intelligence via Flickr to attack intelligence from code repositories, we disassemble five years of online social media presence to tell a cautionary tale of why security professionals should use social media with extreme caution.

Paul Timmins

Security Implications of the Public Switched Telephone Network, with Q&A (English talk)

Why is caller ID spoofing nearly impossible to prevent? What are the strengths and weaknesses of the telecommunications network? What security considerations apply when converging your voice and data telecommunications? What are the biggest mistakes people make when installing new telephone equipment that open them up to fraud, denial of service, and eavesdropping? Learn from my daily experience how to safely deal with the oldest telecommunications network in the world: why some simple solutions in the industry are not that simple while some harder solutions are easier than you think, how you can get a start in the industry without a lot of money, and why your lowest-technology equipment can be the biggest security risk in your entire company.

Mario Contestabile

RASP vs. WAF (English talk)

Hackers, meet your match. No longer are web applications an easy target. You have been getting away for too long with laughing at poor programming practices, pissing on every parameter, and downloading entire tables from Web requests. In this talk, I will show a hands-on demo of a live application with a RASP, and without. I will cover the benefits of a RASP over a WAF, and explain how websites should no longer rely on dumb traffic-level regex tools for their security.

I will attack a vulnerable web application, and demonstrate how a typical attack is carried out on it. Afterwards I will repeat the exercise on the same application, but this time with a RASP installed. I will point out what the key differences are, and in a vendor neutral manner show key mechanisms which differentiate a RASP from a WAF or a firewall.

I will cover how brute force protection is done right, how aggregating application usage and sharing this data is beneficial, and how a RASP can even be integrated into an SDLC.

Logan Best

Multi-Layer DDoS Mitigation Strategies (English talk)

This session will focus on real-world deployments of DDoS mitigation strategies at every layer of the network. It will give an overview of methods to prevent these attacks and best practices on how to provide protection in complex cloud platforms. The session will also outline what we have found in our experience managing and running thousands of Linux and Unix managed service platforms and what specifically can be done to offer protection at every layer. The session will offer insight and examples from both a business and a technical perspective.

Philippe Arteau

Rosetta Flash is an attack vector that takes advantage of JSONP APIs. The vulnerability created a shock wave, as many big websites were affected: Google Accounts, Facebook, eBay, Twitter, LinkedIn and many more. Adobe released a fix in July 2014 to mitigate the obvious scenario. The presentation will review the history of the vulnerability and present many variations of this attack that are still effective. You might discover that your website is vulnerable.

Kellman Meghu

DevOps For The Home (English talk)

This is the story of one man's personal trip to the cloud (and back) as he rebuilds his home network in a DevOps model, supported by a virtual private cloud service. This presentation takes a micro look at cloud services, and the benefits and risks that come along with them for the average home user, as well as for the business. You shouldn't be surprised to see that they are the same, just at a micro level. With real-time micro-level data we can tell a story, without all the abstraction, that can sometimes reveal more than all this big data. With a glimpse into the detailed benefits of a DevOps environment supporting cloud integration, and featuring the feedback of the HomeNet CISO, 'Security Cat', we will have some fun stripping away all the pretty abstraction and exploring the benefits of integrating public cloud services. I said I would never do it, but alas, here I am, I'm in the cloud.

A wide range of sensitive data is compromised across all industries, from businesses both big and small and also from individuals. This includes personally identifiable information (PII), financial data, health data, education data, payment card data, login credentials, intellectual property, etc. In news stories, data breaches are almost always attributed to hacking or malware attacks. While hacking and malware attacks play a big role in data breaches, they do not account for all breaches. Other breach methods frequently observed are insiders, theft or loss, and unintended disclosures. The perpetrators compromising sensitive data are a diverse group that includes insiders, individual criminals, organized groups, and state-sponsored groups. It has been observed that the stolen data is commonly used for committing crimes such as financial fraud, identity theft, intellectual property theft, espionage, blackmail, and extortion.

In this talk we present statistical analysis of publicly disclosed data breach incident reports. We look at the different types of crimes commonly committed using stolen sensitive data. Based on our analysis we present a Bayesian Network to model commonly observed data breach scenarios. We survey criminal marketplaces hosted in the Deep Web to profile the different types of sensitive data available for purchase and their asking prices. Finally we outline defensive methods businesses and individuals can practice to prevent becoming victims of data breach crimes.

Nicolas Grégoire

Server Side Browsing (Talk in French)

SSRF vulnerabilities (aka CWE-918) allow attackers to submit arbitrary URLs to vulnerable applications and have the application (or one of its components) browse those URLs. The talk describes my latest findings regarding this narrow field of AppSec. Of course, being under NDA during my penetration tests, I'll only be covering bugs reported to bounty programs. That includes Yahoo, Facebook, Prezi, PayPal, Stripe, CoinBase, and more!

Highlights: I was able to compromise some large service providers and earned around $50,000 for that. Several blacklists were bypassed using little-known quirks in URL parsing.

Roberto Salgado

Hacking like a boss (English talk)

Sometimes the difference between penetrating a system successfully and failing miserably can be the knowledge of a certain tool, a one-line command, or being able to evade AV/firewall detection. Hacking doesn't always have to be complicated; with simple techniques one can usually obtain Domain Admin privileges in a few steps. This talk will include tips & tricks to "Hack like a Boss" and gain an advantage when pentesting a system. It will present some essential tools, evasion techniques for filters, firewalls, proxies, and antivirus so as not to trigger any alarms, methods to obfuscate Metasploit payloads and bypass heuristic detection to be FUD, Unicode attacks and much more.